UPDATE NOW —

Critical Git bug allows malicious code execution on client machines

All versions for Windows and Mac are vulnerable.

Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.

The critical vulnerability affects all Windows- and Mac-based versions of the official Git client and related software that interacts with Git repositories, according to an advisory published Thursday. The bug can be exploited to achieve remote code execution when the client software accesses booby-trapped Git repositories.

"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," Thursday's advisory warned. "Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem."

The vulnerability is sure to be a tempting one for blackhats to exploit, since it would haul in developers who have proved to be popular targets in the past. The advisory gave no indication the bug is being or has been actively exploited. Fortunately, repositories on github.com can't be booby-trapped because the site has added a verification process to check for malicious content. Other sites hosting repositories don't necessarily provide the same safety measure. Git users should upgrade immediately. Updated GitHub for Windows and GitHub for Mac are available here and here.
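As an added example (not code from the advisory, the Git project, or GitHub's own verification process), here is a check in the spirit of the server-side scan the article mentions: it flags repository tree paths with a component that would be treated as `.git` on a case-insensitive filesystem, which is the precondition for the `.git/config` overwrite described above. The list of code points that HFS+ ignores when comparing names is an assumption used for the extra HFS+ fold.

```python
import sys

# Assumption: zero-width and bidi-control code points that HFS+ ignores when
# comparing file names, so ".g<ZWNJ>it" and ".git" are the same name on a Mac.
HFS_IGNORED = (
    {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
    | set(range(0x202A, 0x202F))
    | set(range(0x206A, 0x2070))
)


def normalise_component(name: str) -> str:
    """Fold one path component the way a case-insensitive filesystem compares it."""
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORED)
    return stripped.casefold()


def collides_with_dotgit(path: str) -> bool:
    """True if any component of a tree path would be treated as '.git'."""
    return any(normalise_component(c) == ".git" for c in path.split("/"))


def find_dotgit_collisions(paths):
    """Return the subset of tree paths that a host should reject or quarantine."""
    return [p for p in paths if collides_with_dotgit(p)]


# Constructed sample, in the shape of `git ls-tree -r --name-only <commit>` output.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                         # legitimate: component is not ".git"
    ".GIT/config",                        # collides on Windows and OS X
    "vendor/.Git/hooks/post-checkout",    # collides inside a subdirectory
    ".g\u200cit/config",                  # collides on HFS+ only (ZWNJ ignored)
    "docs/git/config",                    # legitimate: no leading dot
]

if __name__ == "__main__":
    # Pipe `git ls-tree -r --name-only <commit>` into this script to scan a real tree;
    # with no input it scans the constructed sample.
    paths = [line.rstrip("\n") for line in sys.stdin] if not sys.stdin.isatty() else SAMPLE_TREE
    for hit in find_dotgit_collisions(paths):
        print(f"REJECT: {hit!r} would be treated as .git on a case-insensitive filesystem")
```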